
Cyber Security Consultant: Why SMEs Hire Too Late


A cyber security consultant could have saved Marks & Spencer £300 million. That’s roughly what the retailer lost in operating profit after the DragonForce ransomware attack in April 2025. The attackers didn’t exploit some exotic zero-day vulnerability. They phoned the service desk, pretended to be an employee, got a password reset, and walked through the front door. The entire breach started with a conversation.

I keep thinking about that phone call. Not because it was sophisticated, but because it wasn’t. Someone rang a third-party helpdesk, gave a name, and received credentials to one of Britain’s largest retail networks. No phishing link. No malware attachment. Just a person talking to another person who didn’t ask enough questions.

What a Cyber Security Consultant Actually Does

There’s a persistent confusion about this role that costs businesses money. Most SME owners think the role means someone you call after something goes wrong. A fixer. The person who shows up when the ransom note appears on your screen at 6am on a Tuesday.

That’s an incident responder. Different job entirely.

Someone in that role reviews your systems, your processes, and your people before anything happens. They look at who has access to what, whether your backup actually restores, and if your staff would hand over credentials to someone pretending to be from IT. The work is boring on paper. Permissions audits. Cyber Essentials gap assessments. Firewall rule reviews. Policy documents that nobody reads but everyone needs.

The M&S attack is a textbook example of what happens without this. Their NTDS.dit file, the Active Directory database that stores every password hash on the network, was exfiltrated weeks before the ransomware deployed. A consultant reviewing privileged access controls and service desk authentication procedures would have flagged the exact weakness that Scattered Spider exploited. Maybe in February, when the initial intrusion reportedly happened, rather than in April when the damage was done.

Cyber Security Audit Process (diagram):

1. Business review meeting
2. Technical audit: permissions, firewall, backups
3. Human controls audit: staff awareness, procedures
4. Risk assessment report: gaps scored by severity and cost
5. Remediation plan: prioritised fixes with timelines
6. Quarterly review cycle: 12-month roadmap, updated each quarter

The Gap Between What SMEs Think They Have and What They Actually Have

I audit small businesses in London regularly. The pattern is almost tedious in its consistency. The company has antivirus. They have a firewall. Someone set up MFA on Microsoft 365 at some point in 2023 — or was it late 2022? They assume these three things constitute a security posture.

They don’t.

Last month we reviewed a charity with 40 staff. Good antivirus, current firewall, MFA enabled. But their shared drives had no access restrictions. Every employee could read every file, including HR records, financial projections, and donor data. Their data protection policy existed as a Word document on the managing director’s desktop. Nobody else had seen it. The backup ran nightly to an external drive sitting on top of the server rack, plugged in permanently. Ransomware would encrypt that drive in the same sweep as everything else.
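The "every employee could read every file" finding above is the kind of thing a permissions audit is meant to surface. The script below is an added example, not code from the original post or from the consultancy it describes: it takes a constructed export of share permissions (one row per path, principal and rights, which is an assumed format) and flags sensitive folders where a company-wide group such as Everyone or Domain Users has any access. The group names, folder names and sample rows are all constructed for illustration.

```python
"""Flag over-broad access to sensitive shared folders.

Added example, not from the original post. The input format (path,
principal, rights) is an assumption standing in for an ACL export.
"""
from collections import defaultdict

# Groups that effectively mean "everyone in the company" (assumption:
# typical Windows/AD names; adjust to the environment being audited)
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}

# Folder names that should not be readable by the whole company
SENSITIVE_FOLDERS = {"hr", "payroll", "finance", "donors", "personnel"}

# Rights that allow changing or deleting data, rated worse than read-only
WRITE_RIGHTS = {"modify", "full control", "write"}

# Constructed sample export for a fictional 40-person charity
SAMPLE_ACL = [
    (r"\\fileserver\Shared\HR", "Domain Users", "Read"),
    (r"\\fileserver\Shared\HR", "HR-Team", "Modify"),
    (r"\\fileserver\Shared\Finance", "Everyone", "Full Control"),
    (r"\\fileserver\Shared\Donors", "Fundraising", "Modify"),
    (r"\\fileserver\Shared\Donors", "Authenticated Users", "Read"),
    (r"\\fileserver\Shared\Public", "Domain Users", "Read"),
    (r"\\fileserver\Shared\Marketing", "Marketing", "Modify"),
]


def is_sensitive(path):
    """True if any folder component of the path is in SENSITIVE_FOLDERS."""
    components = {part.lower() for part in path.split("\\") if part}
    return bool(components & SENSITIVE_FOLDERS)


def find_overbroad_access(acl_rows):
    """Return {path: [(principal, rights), ...]} for sensitive paths that
    grant any rights to a broad principal."""
    findings = defaultdict(list)
    for path, principal, rights in acl_rows:
        if principal in BROAD_PRINCIPALS and is_sensitive(path):
            findings[path].append((principal, rights))
    return dict(findings)


def severity(rights):
    """Company-wide write access is 'high'; company-wide read is 'medium'."""
    return "high" if rights.lower() in WRITE_RIGHTS else "medium"


def report(acl_rows):
    """One finding line per over-broad grant, sorted by path."""
    lines = []
    for path, grants in sorted(find_overbroad_access(acl_rows).items()):
        for principal, rights in grants:
            lines.append(f"[{severity(rights)}] {path}: {principal} has {rights}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ACL):
        print(line)
```

Run against a real export, the same logic gives the auditor a prioritised list: Finance open to Everyone with Full Control ranks above HR being readable by Domain Users, which is the order in which a remediation plan should address them.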

None of this is unusual. The NCSC’s own guidance makes clear that security isn’t a product you install. It’s a set of behaviours you maintain. But maintaining them requires someone whose job it is to check, and most businesses under 100 staff don’t have that person. They have an IT provider who keeps things running and assumes security is someone else’s problem.

The UK Government’s Cyber Security Breaches Survey found that 43% of businesses experienced a breach or attack in 2025. For medium-sized firms, that figure jumped to 67%. These aren’t theoretical risks. Two in three mid-sized UK companies got hit last year.

Do You Need a Cyber Security Consultant? (decision tree)

- Do you have a written security policy? No: you need one. Now. Yes: continue.
- When did someone last review it? 12+ months ago: outdated policy, high risk, get a review. Recently: continue.
- Have staff completed phishing training? No: 83% of breaches start with phishing. Yes: continue.
- Do you have Cyber Essentials? No: required for government contracts, and it mandates MFA. Yes: continue.
- All yes? Good baseline. An annual review is still advised.

Why the Timing Problem Matters More Than the Budget Problem

Business owners tell me they can’t afford a cyber security consultant. I understand the instinct. When you’re running a 30-person company and the immediate concern is cash flow or a client deadline, spending money on someone to tell you your passwords are weak feels like a luxury.

But here’s what nobody explains clearly enough. The average breach cost for a UK SME rose to £6,400 in 2025, according to AMVIA’s research. That’s the average. Companies without Cyber Essentials certification paid significantly more. And that figure doesn’t capture the weeks of disrupted operations, the client conversations you’d rather not have, or the insurance premium increase that follows you for years.

Someone doing a proper annual security review costs less than one breach. Often considerably less. The problem isn’t money. The problem is timing. Companies call after the ransomware note, after the ICO inquiry, after the client finds out their data was exposed. By then you’re paying for incident response, forensic investigation, legal advice, and reputation management simultaneously. The consultant fee would have been a rounding error by comparison.

Chart: Breach Cost vs Consultant Fee – UK SME (bars: breach cost, average UK SME; annual consultant review; breach cost with Cyber Essentials)

What to Look For (and What to Avoid)

Not every provider calling themselves a security adviser deserves the label. Some are resellers wearing a different hat, recommending products because they have margin agreements, not because the products match your risk profile. If your consultant’s first recommendation is always a specific vendor’s product, that’s a sales pitch dressed in security language.

Ask three questions before you engage anyone. First, will they produce a written risk assessment specific to your business, not a template with your logo swapped in? Second, do they test your human controls, meaning your staff’s ability to recognise social engineering, or just your technical ones? Third, can they show you a remediation plan with costs and timelines, not just a list of problems?

The M&S breach didn’t happen because Marks & Spencer lacked technology. They had security tools. They had a managed service provider. What they apparently lacked was someone asking whether the service desk could verify caller identity before resetting domain credentials. That’s a process question, not a technology question. And process questions are exactly what a proper cyber security audit is supposed to surface.

From April 2026, Cyber Essentials certification requires MFA on all cloud services. That’s a minimum. If your current IT provider hasn’t mentioned this to you yet, it tells you something about the gap between what you’re paying for and what you’re getting. A cyber security consultant would have flagged it months ago, built it into a plan, and made sure it was done before the deadline rather than the week after.
